BlindMindStudios / StarRuler2-Source

4X Space Strategy game Star Ruler 2's open source distribution.
http://starruler2.com

net::Message::hasFlags() invalid memory access #52

Open l29ah opened 6 years ago

l29ah commented 6 years ago

Encountered during a save file load. Looks like Message constructor has no checks on the sanity of the buffer being passed to it. As seen by gcc's sanitizer:

==9099==ERROR: AddressSanitizer: heap-buffer-overflow on address 0x6020003e8250 at pc 0x55c1c3f5032e bp 0x7f67d737c7d0 sp 0x7f67d737c7c0
READ of size 6 at 0x6020003e8250 thread T261
    #0 0x55c1c3f5032d in net::Message::hasFlags() const source/network/source/message.cpp:303
    #1 0x55c1c3f4c3ff in net::Message::setPacket(char*, unsigned int) source/network/source/message.cpp:98
    #2 0x55c1c3a0da0d in scripts::Manager::load(SaveFile&) source/game/scripts/manager.cpp:1371
    #3 0x55c1c31cb8e3 in loadGame(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) source/game/main/save_load.cpp:301
    #4 0x55c1c30ec290 in operator() source/game/main/initialization.cpp:1492
    #5 0x55c1c310e4c3 in _M_invoke /usr/lib/gcc/x86_64-pc-linux-gnu/8.2.0/include/g++-v8/bits/std_function.h:282
    #6 0x55c1c3f06619 in std::function<int ()>::operator()() const /usr/lib/gcc/x86_64-pc-linux-gnu/8.2.0/include/g++-v8/bits/std_function.h:687
    #7 0x55c1c3f03e50 in threads::asyncWrapper(void*) source/os/source/threads.cpp:9
    #8 0x55c1c3f06b10 in threads::startThread(void*) source/os/source/threads_gcc.cpp:26
    #9 0x7f689b946969  (/lib64/libpthread.so.0+0x7969)
    #10 0x7f689a2ee5fe in clone (/lib64/libc.so.6+0x1035fe)

0x6020003e8252 is located 0 bytes to the right of 2-byte region [0x6020003e8250,0x6020003e8252)
allocated by thread T261 here:
    #0 0x7f689cfc4090 in __interceptor_malloc /var/tmp/portage/sys-devel/gcc-8.2.0-r3/work/gcc-8.2.0/libsanitizer/asan/asan_malloc_linux.cc:86
    #1 0x55c1c3f4bcfa in net::Message::Buffer::copyPacket(unsigned char*, unsigned int) source/network/source/message.cpp:60
    #2 0x55c1c3f4c0fb in net::Message::setPacket(char*, unsigned int) source/network/source/message.cpp:87
    #3 0x55c1c3a0da0d in scripts::Manager::load(SaveFile&) source/game/scripts/manager.cpp:1371
    #4 0x55c1c31cb8e3 in loadGame(std::__cxx11::basic_string<char, std::char_traits<char>, std::allocator<char> > const&) source/game/main/save_load.cpp:301
    #5 0x55c1c30ec290 in operator() source/game/main/initialization.cpp:1492
    #6 0x55c1c310e4c3 in _M_invoke /usr/lib/gcc/x86_64-pc-linux-gnu/8.2.0/include/g++-v8/bits/std_function.h:282
    #7 0x55c1c3f06619 in std::function<int ()>::operator()() const /usr/lib/gcc/x86_64-pc-linux-gnu/8.2.0/include/g++-v8/bits/std_function.h:687
    #8 0x55c1c3f03e50 in threads::asyncWrapper(void*) source/os/source/threads.cpp:9
    #9 0x55c1c3f06b10 in threads::startThread(void*) source/os/source/threads_gcc.cpp:26
    #10 0x7f689b946969  (/lib64/libpthread.so.0+0x7969)

Thread T261 created by T0 here:
    #0 0x7f689cf20bf3 in __interceptor_pthread_create /var/tmp/portage/sys-devel/gcc-8.2.0-r3/work/gcc-8.2.0/libsanitizer/asan/asan_interceptors.cc:202
    #1 0x55c1c3f06d69 in threads::createThread(unsigned int (*)(void*), void*) source/os/source/threads_gcc.cpp:41
    #2 0x55c1c3f03edc in threads::async(std::function<int ()>) source/os/source/threads.cpp:16
    #3 0x55c1c30edba7 in initGame() source/game/main/initialization.cpp:1489
    #4 0x55c1c3c89c24 in main source/game/main.cpp:836
    #5 0x7f689a20cae6 in __libc_start_main (/lib64/libc.so.6+0x21ae6)

l29ah commented 6 years ago

Interestingly, the error occurs on loading a newly created and immediately saved game.
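As an added example (not code from the StarRuler2 repository), a minimal sketch of the length check a defender would want in setPacket before hasFlags reads its header: the 6-byte header size is taken from ASan's "READ of size 6" against a 2-byte region, while the flag-byte position and every name other than setPacket/hasFlags are assumptions.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Assumed header layout for this example: hasFlags() reads 6 bytes, which is
// the read size ASan reported; the real message format may differ.
constexpr std::size_t kHeaderBytes = 6;

class Message {
public:
    // Returns false and leaves the message empty when the packet is too short
    // to contain the header that hasFlags() reads, instead of copying it and
    // over-reading later (the heap-buffer-overflow in the report).
    bool setPacket(const unsigned char* data, std::size_t len) {
        buf_.clear();
        if (data == nullptr || len < kHeaderBytes)
            return false;
        buf_.assign(data, data + len);   // stands in for Buffer::copyPacket
        return true;
    }

    // Defensive second check: never index past the stored buffer even if a
    // caller skipped setPacket() or it failed.
    bool hasFlags(uint8_t mask) const {
        if (buf_.size() < kHeaderBytes)
            return false;
        // Assumed convention: the last header byte carries the flag bits.
        return (buf_[kHeaderBytes - 1] & mask) != 0;
    }

    std::size_t size() const { return buf_.size(); }

private:
    std::vector<unsigned char> buf_;
};

// Constructed inputs (not from the game's save format).
inline bool loadsTruncated() {
    const unsigned char two[2] = {0x01, 0x02};   // same size as the ASan region
    Message m;
    return m.setPacket(two, sizeof two);          // false: rejected, no over-read
}

inline bool loadsValid() {
    const unsigned char pkt[8] = {0, 0, 0, 0, 0, 0x04, 0xAA, 0xBB};
    Message m;
    return m.setPacket(pkt, sizeof pkt) && m.size() == 8
        && m.hasFlags(0x04) && !m.hasFlags(0x01);
}
```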